Claims 

This listing of claims will replace all prior versions and listings of claims in the 
application: 

1. (Currently amended) A method of analyzing network communication traffic on a 
data communication network for determining whether the traffic is legitimate or 
potential suspicious intrusion activity, comprising the steps of: 

monitoring packets exchanged between two hosts on the data 
communication network; 

identifying a flow corresponding to a predetermined plurality of 
packets exchanged between the two hosts that relate to a single service and 
is delimited by a predetermined event; 

assigning a concern index value to an identified flow based upon a 
predetermined characteristic of the flow; 

maintaining an accumulated concern index comprising concern 
index values for one or more identified flows associated with a host; 
and 

issuing an alarm signal in the event that the accumulated 
concern index for a host exceeds an alarm threshold value. 



2. (Currently amended) The method of claim 1, wherein the predetermined event for 
delimiting a flow is selected from the group comprising the elapse of a 
predetermined period of time wherein no packets are exchanged between two 
hosts, the occurrence of a FIN flag, predetermined characteristics of traffic on a 
given port, and the occurrence of a RESET packet. 

3. (Currently amended) The method of claim 1, further comprising the step of 
communicating a message to a firewall to drop packets going to or from the 
particular host in response to the alarm signal. 

4. (Currently amended) The method of claim 1, wherein the alarm signal generates a 
notification to a network administrator. 

5. (Currently amended) The method of claim 1, wherein each concern index value 
associated with a predetermined event is a predetermined fixed value. 

6. (Currently amended) A method of analyzing network communication traffic on a 
data communication network for determining whether the traffic is legitimate or 
potential suspicious intrusion activity, comprising the steps of: 

monitoring packets exchanged between two hosts that are 
associated with a single service on the data communications network; 

identifying a flow corresponding to a predetermined plurality of 
packets exchanged between the two hosts; 

collecting flow data from packet headers of the packets in the 
identified flow; 

based on the collected flow data, assigning a concern index value 
to the flow based on a predetermined characteristic of the flow; 

maintaining an accumulated concern index from flows that are 
associated with a particular host; 

issuing an alarm signal in the event that the accumulated 
concern index for the particular host exceeds an alarm 
threshold value; and 

in response to the alarm signal, sending a message to a utilization 
component. 



7. (New) (NOTE: NO CLAIM PRESENTED FOR CLAIM 7 IN ORIGINAL 
APPLICATION DUE TO TYPOGRAPHICAL ERROR) The method of claim 6, 
wherein the utilization component is selected from the group comprising: network 
security device, email, SNMP trap message, beeper, cellphone, firewall, network 
monitor, user interface display to an operator. 



8. (Currently amended) A method of analyzing network communication traffic on a 
data communication network for determining whether the traffic is legitimate or 
potential suspicious intrusion activity, comprising the steps of: 

monitoring the exchange of packets between two hosts each having 
a particular Internet Protocol (IP) address; 

identifying a flow corresponding to a predetermined plurality of 
packets exchanged between a particular port of one of the hosts that 
remains constant during the plurality of packets; 

collecting flow data from packet headers of the packets in the 
identified flow; 

based on the collected flow data, assigning a concern index value 
to the flow; 

maintaining a host data structure containing accumulated 
concern index values from a plurality of flows that are associated with the 
particular host; and 

issuing an alarm in the event that the accumulated concern 
index values for the particular host has exceeded an alarm threshold value. 

9. (Currently amended) The method of claim 8, wherein each concern index value 
associated with a respective potential suspicious intrusion activity is a 
predetermined fixed value. 

10. (Currently amended) A system for analyzing network communication traffic and 
determining potential suspicious activity, comprising: 

a computer system operative to: 

a) monitor the communication of packets on a data communication 
network; 

b) classify the monitored packets into flows, wherein a flow 
corresponds to a predetermined plurality of packets exchanged 
between two hosts that are associated with a single service on the 
network; 

c) analyze the flows in order to assign a concern index value to a flow 
that may signify potential suspicious activity, wherein each 
concern index value associated with a respective potential 
suspicious activity is of a predetermined fixed value; 

d) generate an alarm signal in response to cumulated concern index 
values; and 

a communication system coupled to the computer system operative to 
receive packets communicated between hosts on the network. 

11. (Currently amended) A system for analyzing network communication traffic and 
determining potential suspicious activity, comprising: 

a processor operative to: 

a) monitor the communication of packets on a data 
communication network; 

b) classify the monitored packets into flows, wherein a flow 
corresponds to a predetermined plurality of packets 
exchanged between two hosts that are associated with a 
single service on the network; 

c) maintain a flow data structure for storing data 
corresponding to a plurality of flows; 

d) analyze the flows in the flow data structure in order to 
assign a concern index value to a flow that may signify 
potential suspicious activity, wherein each concern index 
value associated with a respective potential suspicious 
activity is of a predetermined fixed value; 

e) cumulate assigned concern index values of one or more 
flows associated with a particular host; 

f) maintain a host data structure for storing data associating a 
cumulated concern index value with each one of a plurality 
of hosts; and 

g) generate an alarm signal in response to cumulated concern 
index values in the host data structure; 

a memory coupled to the processor and operative to store 
the flow data structure and the host data structure; and 

a network interface coupled to the processor operative to receive 
packets on the data communication network. 

12. (Currently amended) A method of analyzing network communication traffic on a 
data communication network for potential suspicious intrusion activity, 
comprising the steps of: 

monitoring packets exchanged between two hosts on the data 
communication network; 

identifying packets provided by one of the two hosts that have 
a transport level protocol specifying a packet format that 
includes a data segment; 

in response to determination that the transport level protocol is a 
User Datagram Protocol (UDP) packet and the data segment associated 
with the UDP packet contains two bytes or less of data, storing a concern 
index value of a predetermined amount in a memory in association with 
information identifying the host that issued the UDP packet; and 

issuing an alarm when the cumulated concern index value 
associated with the host exceeds a predetermined threshold level. 
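The detection pipeline that claims 1, 2, 8, 11 and 12 describe, as an added worked example in Python: packets are classified into flows keyed on the two IP addresses and the port that stays constant, a flow is delimited by a FIN flag, a RESET packet or an idle timeout, each suspicious characteristic maps to a predetermined fixed concern index value from a table, the values are accumulated per host in a host data structure, and an alarm is sent to a utilization component (here a callback) once a host's accumulated value exceeds the threshold. This is not code from the application or its applicant. The concern index amounts, the rule names, the "lower-numbered port is the service port" heuristic, the second rule (a TCP flow torn down by RST with no payload ever sent), the timeout and the sample traffic are all assumptions constructed for this example; only the "UDP datagram carrying two bytes or less" characteristic is taken from claim 12.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Table of predetermined fixed concern-index values (claims 5, 9, 19).
# Rule names and amounts are assumptions for this example, not from the claims.
CONCERN_INDEX = {
    "udp_payload_le_2": 100,  # claim 12: UDP datagram carrying two bytes or less
    "tcp_reset_no_data": 50,  # assumed rule: TCP flow ended by RST, no payload sent
}
IDLE_TIMEOUT = 60.0  # assumed: seconds of silence after which a flow is delimited

@dataclass
class Packet:  # header-only view of a packet (claim 30: no payload inspection)
    ts: float
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    sport: int
    dport: int
    payload_len: int
    flags: frozenset = frozenset()  # e.g. {"SYN"}, {"FIN"}, {"RST"}

@dataclass
class Flow:
    hosts: Tuple[str, str]
    proto: str
    service_port: int
    initiator: str  # host that sent the first packet of the flow
    last_ts: float
    payload_bytes: int = 0

class ConcernIndexMonitor:
    def __init__(self, threshold: int, alarm: Callable[[str, int], None]):
        self.threshold = threshold
        self.alarm = alarm  # utilization component (claim 6) modelled as a callback
        self.flows: Dict[tuple, Flow] = {}  # flow data structure (claim 11 c)
        self.hosts: Dict[str, int] = {}  # host data structure: accumulated CI per host
        self.alarmed: set = set()

    @staticmethod
    def flow_key(p: Packet) -> tuple:
        # Flow = both IP addresses plus the constant port (claims 8, 17); assumed: lower port is the service
        return (tuple(sorted((p.src, p.dst))), p.proto, min(p.sport, p.dport))

    def add_concern(self, host: str, rule: str) -> None:
        self.hosts[host] = self.hosts.get(host, 0) + CONCERN_INDEX[rule]
        if self.hosts[host] > self.threshold and host not in self.alarmed:
            self.alarmed.add(host)
            self.alarm(host, self.hosts[host])

    def close(self, key: tuple, reason: str) -> None:
        flow = self.flows.pop(key)
        if flow.proto == "tcp" and reason == "RST" and flow.payload_bytes == 0:
            self.add_concern(flow.initiator, "tcp_reset_no_data")

    def expire(self, now: float) -> None:
        # Claim 2: a flow is delimited by the elapse of a period with no packets.
        for key, flow in list(self.flows.items()):
            if now - flow.last_ts > IDLE_TIMEOUT:
                self.close(key, "timeout")

    def process(self, p: Packet) -> None:
        self.expire(p.ts)
        key = self.flow_key(p)
        flow = self.flows.get(key)
        if flow is None:
            flow = self.flows[key] = Flow(key[0], p.proto, key[2], p.src, p.ts)
        flow.last_ts = p.ts
        flow.payload_bytes += p.payload_len
        if p.proto == "udp" and p.payload_len <= 2:  # claim 12 characteristic
            self.add_concern(p.src, "udp_payload_le_2")
        if "RST" in p.flags:  # claim 2: RESET packet delimits the flow
            self.close(key, "RST")
        elif "FIN" in p.flags:  # claim 2: FIN flag delimits the flow
            self.close(key, "FIN")

def run_sample() -> Tuple[Dict[str, int], List[Tuple[str, int]]]:
    """Feed constructed traffic through the monitor; return (host CI table, alarms)."""
    alarms: List[Tuple[str, int]] = []
    mon = ConcernIndexMonitor(threshold=250, alarm=lambda h, ci: alarms.append((h, ci)))
    syn, fin, rst = frozenset({"SYN"}), frozenset({"FIN"}), frozenset({"RST"})
    traffic = [  # constructed sample packets, not captured data
        # Ordinary HTTP session from 10.0.0.7: handshake, data, FIN -> no concern
        Packet(0.0, "10.0.0.7", "192.0.2.10", "tcp", 51000, 80, 0, syn),
        Packet(0.1, "192.0.2.10", "10.0.0.7", "tcp", 80, 51000, 0, frozenset({"SYN", "ACK"})),
        Packet(0.2, "10.0.0.7", "192.0.2.10", "tcp", 51000, 80, 120),
        Packet(0.3, "192.0.2.10", "10.0.0.7", "tcp", 80, 51000, 900),
        Packet(0.4, "10.0.0.7", "192.0.2.10", "tcp", 51000, 80, 0, fin),
        # 10.0.0.5 sends near-empty UDP datagrams to three ports (claim 12 rule)
        Packet(1.0, "10.0.0.5", "192.0.2.10", "udp", 40000, 53, 1),
        Packet(1.1, "10.0.0.5", "192.0.2.10", "udp", 40001, 161, 2),
        Packet(1.2, "10.0.0.5", "192.0.2.10", "udp", 40002, 123, 0),
        # 10.0.0.5 then probes a closed TCP port: SYN answered by RST
        Packet(2.0, "10.0.0.5", "192.0.2.10", "tcp", 40003, 22, 0, syn),
        Packet(2.1, "192.0.2.10", "10.0.0.5", "tcp", 22, 40003, 0, rst),
    ]
    for p in traffic:
        mon.process(p)
    return mon.hosts, alarms
```

With the assumed values, `run_sample()` returns `({'10.0.0.5': 350}, [('10.0.0.5', 300)])`: the legitimate session from 10.0.0.7 never appears in the host table, the third tiny UDP datagram pushes 10.0.0.5 past the threshold of 250 and triggers the single alarm, and the later RST-terminated probe adds 50 more without re-alarming. Note that the per-packet UDP rule (claim 12) is evaluated as the packet arrives, while the RST rule needs the whole flow and is evaluated only when the flow is delimited, which is why the flow data structure has to outlive individual packets.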

13. (New) The method of claim 6, wherein a flow is determined as terminated in 
response to a predetermined event selected from the group comprising the elapse 
of a predetermined period of time wherein no packets are exchanged between two 
hosts, the occurrence of a FIN flag, predetermined characteristics of traffic on a 
given port, and the occurrence of a RESET packet. 

14. (New) The method of claim 8, wherein a flow is determined as terminated in 
response to a predetermined event selected from the group comprising the elapse 
of a predetermined period of time wherein no packets are exchanged between two 
hosts, the occurrence of a FIN flag, predetermined characteristics of traffic on a 
given port, and the occurrence of a RESET packet. 

15. (New) The system of claim 10, wherein a flow is determined as terminated in 
response to a predetermined event selected from the group comprising the elapse 
of a predetermined period of time wherein no packets are exchanged between two 
hosts, the occurrence of a FIN flag, predetermined characteristics of traffic on a 
given port, and the occurrence of a RESET packet. 

16. (New) The system of claim 11, wherein a flow is determined as terminated in 
response to a predetermined event selected from the group comprising the elapse 
of a predetermined period of time wherein no packets are exchanged between two 
hosts, the occurrence of a FIN flag, predetermined characteristics of traffic on a 
given port, and the occurrence of a RESET packet. 

17. (New) The method of claim 1, wherein the single service comprises a port 
number remaining constant for a plurality of packets. 
18. (New) The method of claim 1, wherein the suspicious activity is from an inside 
address or from an outside address. 

19. (New) The method of claim 1 , wherein the concern index for a suspicious 
activity is derived by reference to a table of predetermined suspicious activities 
each having a predetermined concern index value. 

20. (New) The method of claim 1, wherein the host for which the concern index is 
accumulated is an inside host. 

21. (New) The method of claim 1, wherein the host for which the concern index is 
accumulated is an outside host. 

22. (New) The method of claim 1, wherein the steps are carried out in a monitoring 
appliance. 

23. (New) The method of claim 22, wherein the monitoring appliance is installed 
behind a firewall. 

24. (New) The method of claim 22, wherein the monitoring appliance is connected 
before a firewall. 

25. (New) The method of claim 22, wherein the monitoring appliance is connected in 
a DMZ. 

26. (New) The method of claim 22, wherein the monitoring appliance is configured 
to operate as a pass-by filter. 
27. (New) The method of claim 22, wherein the monitoring appliance is coupled to a 
network device. 

28. (New) The method of claim 27, wherein the network device is selected from the 
group comprising: router, switch, hub, tap. 

29. (New) The method of claim 27, wherein the network device is a network security 
device. 

30. (New) The method of claim 1 , wherein the monitoring of packets comprises 
monitoring on packet header information only. 

31. (New) The method of claim 1, wherein the monitoring of packets is carried out in 
a device operating in a promiscuous mode. 

32. (New) The method of claim 1 , wherein the alarm signal is provided to a 
utilization component. 

33. (New) The method of claim 32, wherein the utilization component is selected 
from the group comprising: network security device, email, SNMP trap message, 
beeper, cellphone, firewall, network monitor, user interface display to an operator. 